Hello,
We are running our own (self-signed) PKI with a 3-level hierarchy
(itrootCA -> itCA -> tmspCA -> cas-server), and I have a problem
configuring Tomcat to load that CA chain. When Tomcat starts it generates
a SEVERE error:
SEVERE: Error initializing endpoint
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
I load the CAS server certificate on the 8443 connector:
<Connector port="8443" maxHttpHeaderSize="8192"
keystoreFile="/etc/tomcat5/cas1_tmsp_openssl.p12"
keystorePass="secret" keystoreType="pkcs12" />
and I load the CA chain from the CATALINA_OPTS env variable:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/tomcat5/ca-chain-IT-tmspca-itca-itrootca.keystore -Djavax.net.ssl.trustStorePassword=secret"
The CA-chain keystore does contain the 3-level CA hierarchy:
[EMAIL PROTECTED] /etc/tomcat5]
$ keytool -list -v -keystore ./ca-chain-IT-tmspca-itca-itrootca.keystore | grep Owner
Enter keystore password: secret
Owner: C=fr, O=Institut TELECOM, OU=Institut TELECOM, CN=Institut TELECOM class2 Certificate Authority
Owner: C=fr, O=Institut TELECOM, CN=Institut TELECOM Root class1 Certificate Authority
Owner: C=fr, O=TELECOM & Management SudParis, OU=TELECOM & Management SudParis, CN=TELECOM & Management SudParis class3 Certificate Authority
I googled that error ("...too big...") and saw remarks about DER vs PEM
format, so here's how I created the above keystore:
[EMAIL PROTECTED] /etc/tomcat5]
$ keytool -import -keystore ca-chain-IT-tmspca-itca-itrootca.keystore -file /etc/pki/tls/certs/itrootca.crt -alias IT_CA_class1
and the same for the 2 other levels.
Why is Tomcat complaining about
"java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big."?
Is my certificate chain too long, or in a bad format? How can I check
that?
Thanks.
PS:
I run java-1.6.0-sun-1.6.0.01-1.el5 and tomcat5-5.5.23-0jpp.7.el5_2.1.
Here are the full catalina.out logs from Tomcat at startup:
Using CATALINA_BASE: /usr/share/tomcat5
Using CATALINA_HOME: /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME:
Dec 1, 2008 6:10:52 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/i386/client:/usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/lib/i386:/usr/lib/jvm/java-1.6.0-sun-1.6.0.01/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
Dec 1, 2008 6:10:53 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Dec 1, 2008 6:10:53 PM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
at sun.security.util.DerValue.init(DerValue.java:346)
at sun.security.util.DerValue.<init>(DerValue.java:302)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1200)
at java.security.KeyStore.load(KeyStore.java:1185)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:287)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:261)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:175)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:112)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:89)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Dec 1, 2008 6:10:53 PM org.apache.catalina.startup.Catalina load
SEVERE: Catalina.start
LifecycleException: Protocol handler initialization failed:
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at org.apache.catalina.connector.Connector.initialize(Connector.java:1019)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Dec 1, 2008 6:10:53 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 763 ms
Dec 1, 2008 6:10:53 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 1, 2008 6:10:53 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Dec 1, 2008 6:10:53 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
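An added diagnostic, not part of the post above and not CAS or Tomcat code: the stack trace shows PKCS12KeyStore.engineLoad being reached from JSSESocketFactory.getTrustStore, so the trust store file is being parsed as PKCS#12 (Tomcat 5.5 applies the connector's keystoreType to the trust store unless a separate truststoreType is set). A keystore written by `keytool -import` without -storetype is a JKS file, and a JKS file begins with the magic bytes FE ED FE ED; read as a DER tag and length, the second byte 0xED is a long-form length whose low 7 bits, 0x6D = 109, is exactly the "lengthTag=109, too big" the JVM reports. The script below decodes a DER length the way Sun's DerInputStream.getLength() does and classifies a file by its leading bytes (PEM, JKS, or a DER SEQUENCE such as a PKCS#12 or .crt file), so a keystore can be checked before Tomcat is pointed at it. The sample byte strings are constructed for the example.

```python
import struct
import sys

# JKS keystores (what `keytool -import` writes when no -storetype is given) start
# with this 4-byte magic; PKCS#12 files and DER certificates start with a
# SEQUENCE tag (0x30) followed by a DER length.
JKS_MAGIC = 0xFEEDFEED


def der_length(buf, offset):
    """Decode the DER length field starting at buf[offset].

    Returns (length, bytes_consumed). This follows the rule behind Sun's
    DerInputStream.getLength(): a first byte below 0x80 is the length itself;
    otherwise its low 7 bits count the length bytes that follow, and more than
    4 of them is rejected with the "too big" error seen in the Tomcat log.
    """
    first = buf[offset]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length not allowed in DER")
    if n > 4:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n


def identify_keystore(data):
    """Classify a keystore/certificate file by its leading bytes: pem, jks, der or unknown."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        return "jks"
    if data[:1] == b"\x30":
        try:
            length, consumed = der_length(data, 1)
        except ValueError:
            return "unknown"
        # A single SEQUENCE spanning the whole file: PKCS#12 or a DER certificate.
        if 1 + consumed + length == len(data):
            return "der"
    return "unknown"


def explain_der_error(data):
    """Return the message a PKCS#12 parser would raise for this file's header, or None if it parses."""
    try:
        der_length(data, 1)
    except ValueError as e:
        return str(e)
    return None


# Constructed samples (not files from the original post).
SAMPLE_JKS_HEADER = b"\xfe\xed\xfe\xed\x00\x00\x00\x02"  # JKS magic + version 2
SAMPLE_DER = b"\x30\x03\x02\x01\x05"                       # SEQUENCE { INTEGER 5 }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"(constructed sample, body omitted)\n"
              b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Usage: python check_keystore.py /path/to/keystore ...   (path is a placeholder)
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample.jks": SAMPLE_JKS_HEADER, "sample.p12": SAMPLE_DER, "sample.pem": SAMPLE_PEM}
    for name, data in targets.items():
        kind = identify_keystore(data)
        err = explain_der_error(data)
        print(f"{name}: format={kind}" + (f"; as PKCS#12 it fails with: {err}" if err else ""))
```

A file reported as "jks" will fail exactly as in the log if a connector loads it as PKCS#12, so either the trust store must be loaded with its real type (for example via the connector's truststoreType attribute, or javax.net.ssl.trustStoreType) or the keystore must be created in the type the connector expects.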